Merge branch 'master' into custom-discarded-job-handling

1 files changed, 141 insertions, 4 deletions

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 932968fa35..753dd8589a 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,4 +1,141 @@
-*  Cookies `:expires` option supports `ActiveSupport::Duration` object.
+*   Add headless firefox support to System Tests.
+
+    *bogdanvlviv*
+
+*   Changed the default system test screenshot output from `inline` to `simple`.
+
+    `inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
+    Terminal.app ignore the `inline` and output the path to the file since it can't
+    render the image. Other terminals, like those on Ubuntu, cannot handle the image
+    inline, but also don't handle it gracefully and instead of outputting the file
+    path, it dumps binary into the terminal.
+
+    Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
+
+    *Eileen M. Uchitelle*
+
+*   Register most popular audio/video/font mime types supported by modern browsers.
+
+    *Guillermo Iguaran*
+
+*   Fix optimized url helpers when using relative url root
+
+    Fixes #31220.
+
+    *Andrew White*
+
+
+## Rails 5.2.0.beta2 (November 28, 2017) ##
+
+*   No changes.
+
+
+## Rails 5.2.0.beta1 (November 27, 2017) ##
+
+*   Add DSL for configuring Content-Security-Policy header
+
+    The DSL allows you to configure a global Content-Security-Policy
+    header and then override within a controller. For more information
+    about the Content-Security-Policy header see MDN:
+
+    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+
+    Example global policy:
+
+        # config/initializers/content_security_policy.rb
+        Rails.application.config.content_security_policy do |p|
+          p.default_src :self, :https
+          p.font_src    :self, :https, :data
+          p.img_src     :self, :https, :data
+          p.object_src  :none
+          p.script_src  :self, :https
+          p.style_src   :self, :https, :unsafe_inline
+        end
+
+    Example controller overrides:
+
+        # Override policy inline
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.upgrade_insecure_requests true
+          end
+        end
+
+        # Using literal values
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.base_uri "https://www.example.com"
+          end
+        end
+
+        # Using mixed static and dynamic values
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
+          end
+        end
+
+    Allows you to also only report content violations for migrating
+    legacy content using the `content_security_policy_report_only`
+    configuration attribute, e.g;
+
+        # config/initializers/content_security_policy.rb
+        Rails.application.config.content_security_policy_report_only = true
+
+        # controller override
+        class PostsController < ApplicationController
+          self.content_security_policy_report_only = true
+        end
+
+    Note that this feature does not validate the header for performance
+    reasons since the header is calculated at runtime.
+
+    *Andrew White*
+
+*   Make `assert_recognizes` to traverse mounted engines
+
+    *Yuichiro Kaneko*
+
+*   Remove deprecated `ActionController::ParamsParser::ParseError`.
+
+    *Rafael Mendonça França*
+
+*   Add `:allow_other_host` option to `redirect_back` method.
+    When `allow_other_host` is set to `false`, the `redirect_back`
+    will not allow a redirecting from a different host.
+    `allow_other_host` is `true` by default.
+
+    *Tim Masliuchenko*
+
+*   Add headless chrome support to System Tests.
+
+    *Yuji Yaginuma*
+
+*   Add ability to enable Early Hints for HTTP/2
+
+    If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
+
+    The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
+
+    *Eileen M. Uchitelle*, *Aaron Patterson*
+
+*   Simplify cookies middleware with key rotation support
+
+    Use the `rotate` method for both `MessageEncryptor` and
+    `MessageVerifier` to add key rotation support for encrypted and
+    signed cookies. This also helps simplify support for legacy cookie
+    security.
+
+    *Michael J Coyne*
+
+*   Use Capybara registered `:puma` server config.
+
+    The Capybara registered `:puma` server ensures the puma server is run in process so
+    connection sharing and open request detection work correctly by default.
+
+    *Thomas Walpole*
+
+*   Cookies `:expires` option supports `ActiveSupport::Duration` object.
 
         cookies[:user_name] = { value: "assain", expires: 1.hour }
         cookies[:key] = { value: "a yummy cookie", expires: 6.months }
@@ -7,7 +144,7 @@
 
     *Assain Jaleel*
 
-*  Enforce signed/encrypted cookie expiry server side.
+*   Enforce signed/encrypted cookie expiry server side.
 
     Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
 
@@ -47,7 +184,7 @@
 
     *Kir Shatrov*
 
-*   `driven_by` now registers poltergeist and capybara-webkit
+*   `driven_by` now registers poltergeist and capybara-webkit.
 
     If poltergeist or capybara-webkit are set as drivers is set for System Tests,
     `driven_by` will register the driver and set additional options passed via
@@ -57,7 +194,7 @@
 
     *Mario Chavez*
 
-*   AEAD encrypted cookies and sessions with GCM
+*   AEAD encrypted cookies and sessions with GCM.
 
     Encrypted cookies now use AES-GCM which couples authentication and
     encryption in one faster step and produces shorter ciphertexts. Cookies